CVSROOT:	/cvs
Module name:	xenocara
Changes by:	matth...@cvs.openbsd.org	2016/10/04 08:59:47

Modified files:
	lib/libXfixes/src: Region.c

Log message:
Integer overflow on illegal server response

The 32 bit field "rep.length" is not checked for validity, which allows
an integer overflow on 32 bit systems.

A malicious server could send INT_MAX as length, which gets multiplied
by the size of XRectangle. In that case the client won't read the whole
data from server, getting out of sync.

From Tobias Stoeckmann / X.Org security advisory Oct 4, 2016
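
The arithmetic described in the log message, as an added example (not the libXfixes code and not the committed patch): it models a 32-bit size_t with uint32_t so the wrap is reproducible on any host. The names rect_t, size_unchecked, size_checked and plan_read are hypothetical, and treating the length as a rectangle count and draining a rejected reply are assumptions of this sketch.

```c
#include <stdint.h>
#include <limits.h>
#include <stdio.h>

/* Stand-in for XRectangle (four 16-bit fields, 8 bytes); not the Xlib header. */
typedef struct { int16_t x, y; uint16_t width, height; } rect_t;

/* Models a 32-bit size_t: the product silently wraps modulo 2^32. */
uint32_t size_unchecked(uint32_t length)
{
    return length * (uint32_t)sizeof(rect_t);
}

/* Returns 0 and stores the byte count, or -1 if it cannot fit in 32 bits. */
int size_checked(uint32_t length, uint32_t *out)
{
    if (length > UINT32_MAX / sizeof(rect_t))
        return -1;
    *out = length * (uint32_t)sizeof(rect_t);
    return 0;
}

/* Hypothetical read plan for one reply. */
typedef struct { int ok; uint32_t to_buffer; uint64_t to_discard; } plan_t;

/* Assumption: an over-long reply is drained, not buffered, so that the
 * next reply still starts at the right offset in the stream. */
plan_t plan_read(uint32_t length)
{
    plan_t p = { 0, 0, 0 };
    if (size_checked(length, &p.to_buffer) == 0)
        p.ok = 1;
    else
        p.to_discard = (uint64_t)length * sizeof(rect_t);
    return p;
}

int main(void)
{
    uint32_t len = INT_MAX;   /* the value named in the log message */
    plan_t p = plan_read(len);
    printf("true bytes:    %llu\n", (unsigned long long)len * sizeof(rect_t));
    printf("32-bit result: %u\n", (unsigned)size_unchecked(len));
    printf("checked: ok=%d discard=%llu\n", p.ok, (unsigned long long)p.to_discard);
    return 0;
}
```

The gap between the wrapped 32-bit result and the true byte count is the data the client would leave unread on the connection.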